CVE-2025-67743
BaseFortify

Publication date: 2025-12-23

Last updated on: 2025-12-29

Assigner: GitHub, Inc.

Description
Local Deep Research is an AI-powered research assistant for deep, iterative research. In versions from 1.3.0 to before 1.3.9, the download service (download_service.py) makes HTTP requests using raw requests.get() without utilizing the application's SSRF protection (safe_requests.py). This can allow attackers to access internal services and attempt to reach cloud provider metadata endpoints (AWS/GCP/Azure), as well as perform internal network reconnaissance, by submitting malicious URLs through the API, depending on the deployment and surrounding controls. This issue has been patched in version 1.3.9.
Meta Information
Published: 2025-12-23
Last Modified: 2025-12-29
Generated: 2026-05-07
AI Q&A: 2025-12-23
EPSS Evaluated: 2026-05-05
Affected Vendors & Products

| Vendor | Product | Version / Range |
| --- | --- | --- |
| learningcircuit | local_deep_research | From 1.3.0 (inc) to 1.3.9 (exc) |
| CWE ID | Description |
| --- | --- |
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-67743 is a Server-Side Request Forgery (SSRF) vulnerability in the local-deep-research package, specifically in the download service component. The issue arises because the download service makes HTTP requests using raw requests.get() calls without using the application's built-in SSRF protection mechanisms. This allows attackers to submit malicious URLs through the API, which are then fetched by the download service without validation. As a result, attackers can access internal services, cloud provider metadata endpoints (such as AWS, GCP, Azure), and perform internal network reconnaissance depending on the deployment and surrounding controls. The vulnerability has been patched by replacing unsafe HTTP requests with SSRF-protected wrappers that block access to sensitive internal addresses and metadata endpoints. [2, 1]


How can this vulnerability impact me?

This vulnerability can allow attackers to access internal services and sensitive cloud provider metadata endpoints, such as those on AWS, GCP, or Azure. Attackers can exploit this to steal cloud credentials, access internal databases and services, and perform internal network reconnaissance. This can lead to unauthorized access to sensitive data like database passwords, API keys, and admin tokens. The attack requires low privileges and no user interaction, making it a significant risk in cloud or corporate network deployments of local-deep-research. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by analyzing the source code for unsafe HTTP request calls that bypass SSRF protections. Specifically, you can use the provided pre-commit hook script `check-safe-requests.py` which statically analyzes Python source files to detect direct usage of unsafe `requests` methods such as `requests.get()`, `requests.post()`, and `requests.Session()` that do not use the secure wrappers. Additionally, Semgrep rules integrated into the CI pipeline can automatically detect unsafe requests usage. There are no specific network commands provided to detect exploitation on the network or system. [1]
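The kind of static check described above can be sketched with Python's `ast` module. This is an added example, not the project's `check-safe-requests.py`; the `UNSAFE` method list, the function name `find_raw_requests` and the sample source are assumptions made for illustration.

```python
import ast

# Attributes of the raw requests module treated as unsafe (assumed list).
UNSAFE = {"get", "post", "put", "delete", "head", "patch", "request", "Session"}

def find_raw_requests(source, filename="<src>"):
    """Return sorted (line, call) pairs for direct requests.* usage in source."""
    tree = ast.parse(source, filename)
    module_aliases = set()  # local names bound to the requests module
    direct_names = {}       # local name -> requests attribute it came from
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name == "requests":
                    module_aliases.add(a.asname or "requests")
        elif isinstance(node, ast.ImportFrom) and node.module == "requests":
            for a in node.names:
                if a.name in UNSAFE:
                    direct_names[a.asname or a.name] = a.name
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        # requests.get(...) or alias.get(...)
        if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                and f.value.id in module_aliases and f.attr in UNSAFE):
            findings.append((node.lineno, f"requests.{f.attr}"))
        # get(...) / Session() imported directly from requests
        elif isinstance(f, ast.Name) and f.id in direct_names:
            findings.append((node.lineno, f"requests.{direct_names[f.id]}"))
    return sorted(findings)

# Constructed sample input, not taken from the project.
SAMPLE = '''\
import requests as rq
from requests import Session
from security.safe_requests import safe_get

def download(url):
    return rq.get(url, timeout=10)

def ok(url):
    return safe_get(url)

s = Session()
'''

if __name__ == "__main__":
    for line, call in find_raw_requests(SAMPLE):
        print(f"line {line}: raw {call}() bypasses the SSRF wrapper")
```

Tracking import aliases matters here: a check that only matches the literal text `requests.get(` misses `import requests as rq` and `from requests import Session`.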


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, update the local-deep-research package to version 1.3.9 or later where the issue is patched. Replace all direct calls to `requests.get()` in `download_service.py` and other affected files with the secure wrapper `safe_get()` from `security/safe_requests.py`. Also replace `requests.Session()` with `SafeSession()` to enforce SSRF protection. Ensure that the pre-commit hook and CI Semgrep rules are in place to prevent unsafe HTTP requests from being introduced. Blocking access to the AWS metadata endpoint (169.254.169.254) and other internal IP ranges via these wrappers is part of the fix. [1, 2]
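The destination check an SSRF-protected wrapper has to perform before fetching can be sketched as follows. This is an added example, not the project's `safe_requests.py`; the function name `is_url_allowed`, the injectable `resolve` parameter and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def _resolve(host):
    """Default resolver: every address the hostname maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_url_allowed(url, resolve=_resolve):
    """Return (allowed, reason); reject URLs that lead to non-public addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = {str(ipaddress.ip_address(host))}  # literal IP, no DNS lookup
    except ValueError:
        try:
            addrs = set(resolve(host))
        except OSError:
            return False, "resolution failed"
    if not addrs:
        return False, "resolution failed"
    for a in addrs:
        ip = ipaddress.ip_address(a.split("%")[0])  # drop any IPv6 zone id
        mapped = getattr(ip, "ipv4_mapped", None)   # ::ffff:a.b.c.d form
        if mapped is not None:
            ip = mapped
        # is_global is False for loopback, private, link-local (which
        # includes 169.254.169.254) and other reserved ranges.
        if not ip.is_global:
            return False, f"non-public address {ip}"
    return True, "ok"

if __name__ == "__main__":
    # Constructed inputs; the resolver is stubbed so the demo runs offline.
    stub = lambda h: {"10.0.0.5"}
    for u in ("http://169.254.169.254/", "http://intranet.example/",
              "http://[::ffff:169.254.169.254]/", "file:///tmp/x"):
        print(u, is_url_allowed(u, resolve=stub))
```

A wrapper built on this check also needs to re-run it on every redirect hop and connect to the address it validated, since the hostname can resolve differently between the check and the request.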


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows attackers to access internal services and cloud provider metadata endpoints, potentially exposing sensitive data such as database passwords, API keys, and admin tokens. Such unauthorized access and data exposure could lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding sensitive information and preventing unauthorized access. Therefore, the vulnerability poses a risk to compliance with these standards by enabling potential data breaches and unauthorized data disclosure. [2]

